By: Stephanie Chaumont (CISSP, CISA, Security+)
Publication: The Kansas Banker, July 2017
In the past, the Board has always been expected to make strategic decisions, choosing what was best for the overall success of their institution. For most institutions, these decisions were made with little information about, or regard for, cybersecurity. As threats to our information security evolve, so do examiner expectations for the Board of Directors.
With the release of the FFIEC’s Cybersecurity Assessment Tool in 2015, we saw specific examiner suggestions for improving Board oversight of an institution’s cybersecurity program and posture in their Overview for Chief Executive Officers and Board of Directors. The picture painted throughout all the suggestions provided is that of a Board that understands cyber risks and makes risk-based decisions. That picture may or may not be an overwhelming shift for your institution, but I think for the vast majority of us, there is room for growth in this area. For institutions with a large gap between their current Board oversight of cybersecurity and where they need to be, here are a few things to start with: